<!DOCTYPE html>
<html lang="en-us">
  <head>

    <meta http-equiv="content-type" content="text/html; charset=utf-8">
    
<meta charset="UTF-8">
<title>Encrypting communications in Elasticsearch | Elasticsearch Guide [7.7] | Elastic</title>
<link rel="home" href="index.html" title="Elasticsearch Guide [7.7]">
<link rel="up" href="encrypting-communications.html" title="Encrypting communications">
<link rel="prev" href="ssl-tls.html" title="Setting up TLS on a cluster">
<link rel="next" href="configuring-tls-docker.html" title="Encrypting communications in an Elasticsearch Docker Container">
<meta name="DC.type" content="Learn/Docs/Elasticsearch/Reference/7.7">
<meta name="DC.subject" content="Elasticsearch">
<meta name="DC.identifier" content="7.7">
<meta name="robots" content="noindex,nofollow">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://cdn.optimizely.com/js/18132920325.js"></script>
    <link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
    <link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
    <link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
    <link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
    <link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
    <link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
    <link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
    <link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
    <link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
    <link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
    <link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
    <link rel="manifest" href="/manifest.json">
    <meta name="apple-mobile-web-app-title" content="Elastic">
    <meta name="application-name" content="Elastic">
    <meta name="msapplication-TileColor" content="#ffffff">
    <meta name="msapplication-TileImage" content="/mstile-144x144.png">
    <meta name="theme-color" content="#ffffff">
    <meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd">
    <meta name="yandex-verification" content="d8a47e95d0972434">
    <meta name="localized" content="true">
    <meta name="st:robots" content="follow,index">
    <meta property="og:image" content="https://www.elastic.co/static/images/elastic-logo-200.png">
    <link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
    <link rel="icon" href="/favicon.ico" type="image/x-icon">
    <link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
    <link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
    <link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
    <!-- Give IE8 a fighting chance -->
    <!--[if lt IE 9]>
    <script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
    <script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
    <![endif]-->
    <link rel="stylesheet" type="text/css" href="/guide/static/styles.css">
  </head>

  <!--© 2015-2021 Elasticsearch B.V. Copying, publishing and/or distributing without written permission is strictly prohibited.-->

  <body>
    <!-- Google Tag Manager -->
    <script>dataLayer = [];</script><noscript><iframe src="//www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
    <script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start': new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0], j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src= '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f); })(window,document,'script','dataLayer','GTM-58RLH5');</script>
    <!-- End Google Tag Manager -->

    <!-- Global site tag (gtag.js) - Google Analytics -->
    <script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
    <script>
      window.dataLayer = window.dataLayer || [];
      function gtag(){dataLayer.push(arguments);}
      gtag('js', new Date());
      gtag('config', 'UA-12395217-16');
    </script>

    <!--BEGIN QUALTRICS WEBSITE FEEDBACK SNIPPET-->
    <script type="text/javascript">
      (function(){var g=function(e,h,f,g){
      this.get=function(a){for(var a=a+"=",c=document.cookie.split(";"),b=0,e=c.length;b<e;b++){for(var d=c[b];" "==d.charAt(0);)d=d.substring(1,d.length);if(0==d.indexOf(a))return d.substring(a.length,d.length)}return null};
      this.set=function(a,c){var b="",b=new Date;b.setTime(b.getTime()+6048E5);b="; expires="+b.toGMTString();document.cookie=a+"="+c+b+"; path=/; "};
      this.check=function(){var a=this.get(f);if(a)a=a.split(":");else if(100!=e)"v"==h&&(e=Math.random()>=e/100?0:100),a=[h,e,0],this.set(f,a.join(":"));else return!0;var c=a[1];if(100==c)return!0;switch(a[0]){case "v":return!1;case "r":return c=a[2]%Math.floor(100/c),a[2]++,this.set(f,a.join(":")),!c}return!0};
      this.go=function(){if(this.check()){var a=document.createElement("script");a.type="text/javascript";a.src=g;document.body&&document.body.appendChild(a)}};
      this.start=function(){var a=this;window.addEventListener?window.addEventListener("load",function(){a.go()},!1):window.attachEvent&&window.attachEvent("onload",function(){a.go()})}};
      try{(new g(100,"r","QSI_S_ZN_emkP0oSe9Qrn7kF","https://znemkp0ose9qrn7kf-elastic.siteintercept.qualtrics.com/WRSiteInterceptEngine/?Q_ZID=ZN_emkP0oSe9Qrn7kF")).start()}catch(i){}})();
    </script><div id="ZN_emkP0oSe9Qrn7kF"><!--DO NOT REMOVE-CONTENTS PLACED HERE--></div>
    <!--END WEBSITE FEEDBACK SNIPPET-->

    <div id="elastic-nav" style="display:none;"></div>
    <script src="https://www.elastic.co/elastic-nav.js"></script>

    <!-- Subnav -->
    <div>
      <div>
        <div class="tertiary-nav d-none d-md-block">
          <div class="container">
            <div class="p-t-b-15 d-flex justify-content-between nav-container">
              <div class="breadcrum-wrapper"><span><a href="/guide/" style="font-size: 14px; font-weight: 600; color: #000;">Docs</a></span></div>
            </div>
          </div>
        </div>
      </div>
    </div>

    <div class="main-container">
      <section id="content">
        <div class="content-wrapper">

          <section id="guide" lang="en">
            <div class="container">
              <div class="row">
                <div class="col-xs-12 col-sm-8 col-md-8 guide-section">
                  <!-- start body -->
                  <div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div id="content">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="index.html">Elasticsearch Guide [7.7]</a></span>
»
<span class="breadcrumb-link"><a href="secure-cluster.html">Secure a cluster</a></span>
»
<span class="breadcrumb-link"><a href="encrypting-communications.html">Encrypting communications</a></span>
»
<span class="breadcrumb-node">Encrypting communications in Elasticsearch</span>
</div>
<div class="navheader">
<span class="prev">
<a href="ssl-tls.html">« Setting up TLS on a cluster</a>
</span>
<span class="next">
<a href="configuring-tls-docker.html">Encrypting communications in an Elasticsearch Docker Container »</a>
</span>
</div>
<div class="section xpack">
<div class="titlepage"><div><div>
<h2 class="title">
<a id="configuring-tls"></a>Encrypting communications in Elasticsearch<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/securing-elasticsearch.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h2>
</div></div></div>
<p>Elastic Stack security features enable you to encrypt traffic to, from, and within
your Elasticsearch cluster. Connections are secured using Transport Layer Security
(TLS/SSL).</p>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<p>Clusters that do not have encryption enabled send all data in plain text
including passwords. If the Elasticsearch security features are enabled, unless you
have a trial license, you must configure SSL/TLS for internode-communication.</p>
</div>
</div>
<p>To enable encryption, you need to perform the following steps on each node in
the cluster:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Verify that the <code class="literal">xpack.security.enabled</code> setting is <code class="literal">true</code>. For more
information, see <a class="xref" href="security-settings.html" title="Security settings in Elasticsearch">Security settings</a>.
</li>
<li class="listitem">
<a class="xref" href="configuring-tls.html#node-certificates" title="Generating node certificates">Generate a private key and X.509 certificate</a>.
</li>
<li class="listitem">
<p>Configure each node to:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Required: <a class="xref" href="configuring-tls.html#tls-transport" title="Encrypting communications between nodes in a cluster">Enable TLS on the transport layer</a>.
</li>
<li class="listitem">
Recommended: <a class="xref" href="configuring-tls.html#tls-http" title="Encrypting HTTP client communications">Enable TLS on the HTTP layer</a>.
</li>
</ol>
</div>
</li>
<li class="listitem">
If you are using Active Directory user authentication,
<a class="xref" href="configuring-tls.html#tls-active-directory" title="Encrypting communications between Elasticsearch and Active Directory">encrypt communications between Elasticsearch and your Active Directory server</a>.
</li>
<li class="listitem">
If you are using LDAP user authentication,
<a class="xref" href="configuring-tls.html#tls-ldap" title="Encrypting communications between Elasticsearch and LDAP">encrypt communications between Elasticsearch and your LDAP server</a>.
</li>
</ol>
</div>
<p>For more information about encrypting communications across the Elastic Stack,
see <a class="xref" href="encrypting-communications.html" title="Encrypting communications"><em>Encrypting communications</em></a>.</p>
<div class="section">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="node-certificates"></a>Generating node certificates<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/node-certificates.asciidoc">edit</a>
</h3>
</div></div></div>
<p>TLS requires X.509 certificates to perform encryption and authentication of the
application that is being communicated with. In order for the communication
between nodes to be truly secure, the certificates must be validated. The
recommended approach for validating certificate authenticity in an Elasticsearch cluster
is to trust the certificate authority (CA) that signed the certificate. By doing
this, as nodes are added to your cluster they just need to use a certificate
signed by the same CA and the node is automatically allowed to join the cluster.
Additionally, it is recommended that the certificates contain subject alternative
names (SAN) that correspond to the node’s IP address and DNS name so that
hostname verification can be performed.</p>
<p>The <a href="/guide/en/elasticsearch/reference/7.7/certutil.html" class="ulink" target="_top"><code class="literal">elasticsearch-certutil</code></a> command simplifies the process
of generating certificates for the Elastic Stack. It takes care of generating a CA and
signing certificates with the CA. It can be used interactively or in a silent
mode through the use of an input file. It also supports generation of
certificate signing requests (CSR), so that a commercial- or
organization-specific CA can be used to sign the certificates. For example:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Optional: Create a certificate authority for your Elasticsearch cluster.</p>
<p>For example, use the <code class="literal">elasticsearch-certutil ca</code> command:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-certutil ca</pre>
</div>
<p>You can configure the cluster to trust all nodes that have a certificate that
has been signed by this CA.</p>
<p>The command outputs a single file, with a default name of <code class="literal">elastic-stack-ca.p12</code>.
This file is a PKCS#12 keystore that contains the public certificate for your CA
and the private key that is used to sign the certificates for each node.</p>
<p>The <code class="literal">elasticsearch-certutil</code> command also prompts you for a password to protect
the file and key. If you plan to add more nodes to your cluster in the future,
retain a copy of the file and remember its password.</p>
</li>
<li class="listitem">
<p>Generate a certificate and private key for each node in your cluster.</p>
<p>For example, use the <code class="literal">elasticsearch-certutil cert</code> command:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-certutil cert --ca elastic-stack-ca.p12</pre>
</div>
<p>The output is a single PKCS#12 keystore that includes the node certificate, node
key, and CA certificate.</p>
<p>You are also prompted for a password. You can enter a password for your
certificate and key, or you can leave the password blank by pressing Enter.</p>
<p>By default <code class="literal">elasticsearch-certutil</code> generates certificates that have no hostname
information in them (that is, they do not have any Subject Alternative Name
fields). This means that you can use the certificate for every node in your
cluster, but you must turn off hostname verification as shown in the
configuration below.</p>
<p>If you want to use hostname verification within your cluster, run the
<code class="literal">elasticsearch-certutil cert</code> command once for each of your nodes and provide
the <code class="literal">--name</code>, <code class="literal">--dns</code> and <code class="literal">--ip</code> options.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>You should secure the output files, since they contain the private keys
for your instance.</p>
</div>
</div>
<p>Alternatively, if you want to use a commercial or organization-specific CA,
you can use the <code class="literal">elasticsearch-certutil csr</code> command to generate certificate
signing requests (CSR) for the nodes in your cluster. For more information, see
<a class="xref" href="certutil.html" title="elasticsearch-certutil"><em>elasticsearch-certutil</em></a>.</p>
</li>
<li class="listitem">
<p>Optional: Generate additional certificates specifically for encrypting HTTP
client communications.</p>
<p>For example, use the <code class="literal">elasticsearch-certutil http</code> command:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-certutil http</pre>
</div>
<p>This command guides you through the process of generating the appropriate
certificates for use in Elasticsearch and Kibana. If you created a CA for your cluster,
you can re-use it by supplying its location when prompted.</p>
</li>
<li class="listitem">
<p>Copy the node certificates to the appropriate locations.</p>
<p>Copy the applicable files into the Elasticsearch configuration directory on each
node.</p>
<p>For each additional Elastic product that you want to configure, copy the
certificates to the relevant configuration directory.</p>
</li>
</ol>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If you choose not to use <code class="literal">elasticsearch-certutil</code>, the certificates that
you obtain must allow for both <code class="literal">clientAuth</code> and <code class="literal">serverAuth</code> if the extended key
usage extension is present. The certificates need to be in PEM or PKCS#12
format. Although not required, it is highly recommended that the certificate
contain the DNS names and/or IP addresses of the node so that hostname
verification can be used.</p>
</div>
</div>
</div>

<div class="section xpack">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="tls-transport"></a>Encrypting communications between nodes in a cluster<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/tls-transport.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h3>
</div></div></div>
<p>The transport networking layer is used for internal communication between nodes
in a cluster. When security features are enabled, you must use TLS to ensure
that communication between the nodes is encrypted.</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<a class="xref" href="configuring-tls.html#node-certificates" title="Generating node certificates">Generate node certificates</a>.
</li>
<li class="listitem">
<p>Enable TLS and specify the information required to access the node’s
certificate.</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>If the signed certificate is in PKCS#12 format, add the following information to the
<code class="literal">elasticsearch.yml</code> file on each node:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate <a id="CO487-1"></a><i class="conum" data-value="1"></i>
xpack.security.transport.ssl.keystore.path: elastic-certificates.p12 <a id="CO487-2"></a><i class="conum" data-value="2"></i>
xpack.security.transport.ssl.truststore.path: elastic-certificates.p12 <a id="CO487-3"></a><i class="conum" data-value="3"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO487-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>If you used the <code class="literal">--dns</code> or <code class="literal">--ip</code> options with the <code class="literal">elasticsearch-certutil cert</code> command
and you want to enable strict hostname checking, set the verification mode to
<code class="literal">full</code>. For a description of these values, see <a class="xref" href="security-settings.html#transport-tls-ssl-settings" title="Transport TLS/SSL settings">Transport TLS/SSL settings</a>.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO487-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>If you created a separate certificate for each node, then you might need to
customize this path on each node. If the filename matches the node name, you can
use the <code class="literal">${node.name}.p12</code> format, for example.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO487-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>The <code class="literal">elasticsearch-certutil</code> outputs a PKCS#12 keystore which includes the
CA certificate as a trusted certificate entry. This allows for the keystore to
also be used as a truststore. In this case, the path value should match
the <code class="literal">keystore.path</code> value.
Note, however, that this is not the general rule. There are keystores that cannot be
used as truststores, only
<a href="/guide/en/elasticsearch/reference/7.7/security-settings.html#pkcs12-truststore-note" class="ulink" target="_top">specifically crafted ones can</a></p>
</td>
</tr>
</table>
</div>
</li>
<li class="listitem">
<p>If the certificate is in PEM format, add the following information to the
<code class="literal">elasticsearch.yml</code> file on each node:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate <a id="CO488-1"></a><i class="conum" data-value="1"></i>
xpack.security.transport.ssl.key: /home/es/config/node01.key <a id="CO488-2"></a><i class="conum" data-value="2"></i>
xpack.security.transport.ssl.certificate: /home/es/config/node01.crt <a id="CO488-3"></a><i class="conum" data-value="3"></i>
xpack.security.transport.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <a id="CO488-4"></a><i class="conum" data-value="4"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO488-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>If you used the <code class="literal">--dns</code> or <code class="literal">--ip</code> options with the <code class="literal">elasticsearch-certutil cert</code> command
and you want to enable strict hostname checking, set the verification mode to
<code class="literal">full</code>. For a description of these values, see <a class="xref" href="security-settings.html#transport-tls-ssl-settings" title="Transport TLS/SSL settings">Transport TLS/SSL settings</a>.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO488-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>The full path to the node key file. This must be a location within the
Elasticsearch configuration directory.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO488-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>The full path to the node certificate. This must be a location within the
Elasticsearch configuration directory.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO488-4"><i class="conum" data-value="4"></i></a></p>
</td>
<td align="left" valign="top">
<p>An array of paths to the CA certificates that should be trusted. These paths
must be a location within the Elasticsearch configuration directory.</p>
</td>
</tr>
</table>
</div>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>If you secured the node’s certificate with a password, add the password to
your Elasticsearch keystore:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>If the signed certificate is in PKCS#12 format, use the following commands:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-keystore add xpack.security.transport.ssl.keystore.secure_password

bin/elasticsearch-keystore add xpack.security.transport.ssl.truststore.secure_password</pre>
</div>
</li>
<li class="listitem">
<p>If the certificate is in PEM format, use the following commands:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-keystore add xpack.security.transport.ssl.secure_key_passphrase</pre>
</div>
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>Restart Elasticsearch.</p>
<p>You must perform a full cluster restart. Nodes which are configured to use TLS
cannot communicate with nodes that are using unencrypted networking (and
vice-versa). After enabling TLS you must restart all nodes in order to maintain
communication across the cluster.</p>
</li>
</ol>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
All TLS-related node settings are considered to be highly sensitive and
therefore are not exposed via the
<a href="/guide/en/elasticsearch/reference/7.7/cluster-nodes-info.html#cluster-nodes-info" class="ulink" target="_top">nodes info API</a> For more
information about any of these settings, see <a class="xref" href="security-settings.html" title="Security settings in Elasticsearch">Security settings</a>.
</li>
<li class="listitem">
Elasticsearch monitors all files such as certificates, keys, keystores, or truststores
that are configured as values of TLS-related node settings. If you update any of
these files (for example, when your hostnames change or your certificates are
due to expire), Elasticsearch reloads them. The files are polled for changes at
a frequency determined by the global Elasticsearch <code class="literal">resource.reload.interval.high</code>
setting, which defaults to 5 seconds.
</li>
</ul>
</div>
</div>
</div>
</div>

<div class="section xpack">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="tls-http"></a>Encrypting HTTP client communications<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/tls-http.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h3>
</div></div></div>
<p>When security features are enabled, you can optionally use TLS to ensure that
communication between HTTP clients and the cluster is encrypted.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>Enabling TLS on the HTTP layer is strongly recommended but is not required.
If you enable TLS on the HTTP layer in Elasticsearch, then you might need to make
configuration changes in other parts of the Elastic Stack and in any Elasticsearch clients that
you use.</p>
</div>
</div>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>If you have not done so already, <a class="xref" href="configuring-tls.html#node-certificates" title="Generating node certificates">generate node certificates</a>.</p>
<p>In particular, you need the files that are generated by the following command:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-certutil http</pre>
</div>
<p>This command generates a zip file that contains certificates and keys for use in
Elasticsearch and Kibana. Each folder contains a readme that explains how to use the files.</p>
</li>
<li class="listitem">
<p>Verify that you’ve copied the output files to the appropriate locations, as
specified in the readme files.</p>
<p>For example, copy the <code class="literal">http.p12</code> file from the <code class="literal">elasticsearch</code> folder into a
directory within the Elasticsearch configuration directory on each node. If you chose to
generate one certificate per node, copy the appropriate <code class="literal">http.p12</code> file to each
node. If you want to use Kibana to access this cluster, copy the
<code class="literal">elasticsearch-ca.pem</code> file from the <code class="literal">kibana</code> folder into the Kibana
configuration directory.</p>
</li>
<li class="listitem">
<p>Enable TLS and specify the information required to access the node’s
certificate. For example:</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Update the <code class="literal">elasticsearch.yml</code> file on each node with the location of the
certificates.</p>
<p>If the certificates are in PKCS#12 format:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: "http.p12"</pre>
</div>
<p>If you have certificates in PEM format:</p>
<div class="pre_wrapper lang-yaml">
<pre class="programlisting prettyprint lang-yaml">xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.key:  /home/es/config/node1_http.key <a id="CO489-1"></a><i class="conum" data-value="1"></i>
xpack.security.http.ssl.certificate: /home/es/config/node1_http.crt <a id="CO489-2"></a><i class="conum" data-value="2"></i>
xpack.security.http.ssl.certificate_authorities: [ "/home/es/config/ca.crt" ] <a id="CO489-3"></a><i class="conum" data-value="3"></i></pre>
</div>
<div class="calloutlist">
<table border="0" summary="Callout list">
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO489-1"><i class="conum" data-value="1"></i></a></p>
</td>
<td align="left" valign="top">
<p>The full path to the node key file. This must be a location within the
Elasticsearch configuration directory.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO489-2"><i class="conum" data-value="2"></i></a></p>
</td>
<td align="left" valign="top">
<p>The full path to the node certificate. This must be a location within the
Elasticsearch configuration directory.</p>
</td>
</tr>
<tr>
<td align="left" valign="top" width="5%">
<p><a href="#CO489-3"><i class="conum" data-value="3"></i></a></p>
</td>
<td align="left" valign="top">
<p>An array of paths to the CA certificates that should be trusted. These paths
must be a location within the Elasticsearch configuration directory.</p>
</td>
</tr>
</table>
</div>
</li>
<li class="listitem">
<p>If you secured the keystore or the private key with a password, add that password to a secure
setting in Elasticsearch.</p>
<p>If the certificates are in PKCS#12 format:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-keystore add xpack.security.http.ssl.keystore.secure_password</pre>
</div>
<p>If the certificates are in PEM format:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">bin/elasticsearch-keystore add xpack.security.http.ssl.secure_key_passphrase</pre>
</div>
</li>
</ol>
</div>
</li>
<li class="listitem">
Optional: If you want to use Kibana, follow the instructions in the readme
provided by the <code class="literal">elasticsearch-certutil http</code> command or see
<a href="/guide/en/kibana/7.7/configuring-tls.html" class="ulink" target="_top">Encrypting communications in Kibana</a>.
</li>
<li class="listitem">
Restart Elasticsearch.
</li>
</ol>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
All TLS-related node settings are considered to be highly sensitive and
therefore are not exposed via the
<a href="/guide/en/elasticsearch/reference/7.7/cluster-nodes-info.html#cluster-nodes-info" class="ulink" target="_top">nodes info API</a> For more
information about any of these settings, see <a class="xref" href="security-settings.html" title="Security settings in Elasticsearch">Security settings</a>.
</li>
<li class="listitem">
Elasticsearch monitors all files such as certificates, keys, keystores, or truststores
that are configured as values of TLS-related node settings. If you update any of
these files (for example, when your hostnames change or your certificates are
due to expire), Elasticsearch reloads them. The files are polled for changes at
a frequency determined by the global Elasticsearch <code class="literal">resource.reload.interval.high</code>
setting, which defaults to 5 seconds.
</li>
</ul>
</div>
</div>
</div>
</div>

<div class="section xpack">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="tls-active-directory"></a>Encrypting communications between Elasticsearch and Active Directory<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/tls-ad.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h3>
</div></div></div>
<p>To protect the user credentials that are sent for authentication, it’s highly
recommended to encrypt communications between Elasticsearch and your Active Directory
server. Connecting via SSL/TLS ensures that the identity of the Active Directory
server is authenticated before Elasticsearch transmits the user credentials and the
usernames and passwords are encrypted in transit.</p>
<p>Clients and nodes that connect via SSL/TLS to the Active Directory server need
to have the Active Directory server’s certificate or the server’s root CA
certificate installed in their keystore or truststore.</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
Create the realm configuration for the <code class="literal">xpack.security.authc.realms</code> namespace
in the <code class="literal">elasticsearch.yml</code> file. See <a class="xref" href="active-directory-realm.html#ad-realm-configuration" title="Configuring an Active Directory realm">Configuring an Active Directory realm</a>.
</li>
<li class="listitem">
Set the <code class="literal">url</code> attribute in the realm configuration to specify the LDAPS protocol
and the secure port number. For example, <code class="literal">url: ldaps://ad.example.com:636</code>.
</li>
<li class="listitem">
<p>Configure each node to trust certificates signed by the certificate authority
(CA) that signed your Active Directory server certificates.</p>
<p>The following example demonstrates how to trust a CA certificate (<code class="literal">cacert.pem</code>),
which is located within the configuration directory:</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">xpack:
  security:
    authc:
      realms:
        active_directory:
          ad_realm:
            order: 0
            domain_name: ad.example.com
            url: ldaps://ad.example.com:636
            ssl:
              certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]</pre>
</div>
<p>The CA cert must be a PEM encoded certificate.</p>
<p>For more information about these settings, see <a class="xref" href="security-settings.html#ref-ad-settings" title="Active Directory realm settings">Active Directory realm settings</a>.</p>
</li>
<li class="listitem">
Restart Elasticsearch.
</li>
</ol>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>By default, when you configure Elasticsearch to connect to Active Directory
      using SSL/TLS, it attempts to verify the hostname or IP address
      specified with the <code class="literal">url</code> attribute in the realm configuration with the
      values in the certificate. If the values in the certificate and realm
      configuration do not match, Elasticsearch does not allow a connection to the
      Active Directory server. This is done to protect against man-in-the-middle
      attacks. If necessary, you can disable this behavior by setting the
      <code class="literal">ssl.verification_mode</code> property to <code class="literal">certificate</code>.</p>
</div>
</div>
</div>

<div class="section xpack">
<div class="titlepage"><div><div>
<h3 class="title">
<a id="tls-ldap"></a>Encrypting communications between Elasticsearch and LDAP<a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/elasticsearch/edit/7.7/x-pack/docs/en/security/securing-communications/tls-ldap.asciidoc">edit</a><a class="xpack_tag" href="/subscriptions"></a>
</h3>
</div></div></div>
<p>To protect the user credentials that are sent for authentication in an LDAP
realm, it’s highly recommended to encrypt communications between Elasticsearch and your
LDAP server. Connecting via SSL/TLS ensures that the identity of the LDAP server
is authenticated before Elasticsearch transmits the user credentials and the
contents of the connection are encrypted. Clients and nodes that connect via
TLS to the LDAP server need to have the LDAP server’s certificate or the
server’s root CA certificate installed in their keystore or truststore.</p>
<p>For more information, see <a class="xref" href="ldap-realm.html" title="LDAP user authentication">LDAP user authentication</a>.</p>
<div class="olist orderedlist">
<ol class="orderedlist">
<li class="listitem">
<p>Configure the realm’s TLS settings on each node to trust certificates signed
by the CA that signed your LDAP server certificates. The following example
demonstrates how to trust a CA certificate, <code class="literal">cacert.pem</code>, located within the
Elasticsearch configuration directory (ES_PATH_CONF):</p>
<div class="pre_wrapper lang-shell">
<pre class="programlisting prettyprint lang-shell">xpack:
  security:
    authc:
      realms:
        ldap:
          ldap1:
            order: 0
            url: "ldaps://ldap.example.com:636"
            ssl:
              certificate_authorities: [ "ES_PATH_CONF/cacert.pem" ]</pre>
</div>
<p>The CA certificate must be a PEM encoded.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>You can also specify the individual server certificates rather than the CA
certificate, but this is only recommended if you have a single LDAP server or
the certificates are self-signed.</p>
</div>
</div>
</li>
<li class="listitem">
Set the <code class="literal">url</code> attribute in the realm configuration to specify the LDAPS
protocol and the secure port number. For example, <code class="literal">url: ldaps://ldap.example.com:636</code>.
</li>
<li class="listitem">
Restart Elasticsearch.
</li>
</ol>
</div>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>By default, when you configure Elasticsearch to connect to an LDAP server
      using SSL/TLS, it attempts to verify the hostname or IP address
      specified with the <code class="literal">url</code> attribute in the realm configuration with the
      values in the certificate. If the values in the certificate and realm
      configuration do not match, Elasticsearch does not allow a connection to the
      LDAP server. This is done to protect against man-in-the-middle attacks. If
      necessary, you can disable this behavior by setting the
      <code class="literal">ssl.verification_mode</code> property to <code class="literal">certificate</code>.</p>
</div>
</div>
</div>

</div>
<div class="navfooter">
<span class="prev">
<a href="ssl-tls.html">« Setting up TLS on a cluster</a>
</span>
<span class="next">
<a href="configuring-tls-docker.html">Encrypting communications in an Elasticsearch Docker Container »</a>
</span>
</div>
</div>

                  <!-- end body -->
                </div>
                <div class="col-xs-12 col-sm-4 col-md-4" id="right_col">
                  <div id="rtpcontainer" style="display: block;">
                    <div class="mktg-promo">
                      <h3>Most Popular</h3>
                      <ul class="icons">
                        <li class="icon-elasticsearch-white"><a href="https://www.elastic.co/webinars/getting-started-elasticsearch?baymax=default&amp;elektra=docs&amp;storm=top-video">Get Started with Elasticsearch: Video</a></li>
                        <li class="icon-kibana-white"><a href="https://www.elastic.co/webinars/getting-started-kibana?baymax=default&amp;elektra=docs&amp;storm=top-video">Intro to Kibana: Video</a></li>
                        <li class="icon-logstash-white"><a href="https://www.elastic.co/webinars/introduction-elk-stack?baymax=default&amp;elektra=docs&amp;storm=top-video">ELK for Logs &amp; Metrics: Video</a></li>
                      </ul>
                    </div>
                  </div>
                </div>
              </div>
            </div>
          </section>

        </div>


<div id="elastic-footer"></div>
<script src="https://www.elastic.co/elastic-footer.js"></script>
<!-- Footer Section end-->

      </section>
    </div>

<script src="/guide/static/jquery.js"></script>
<script type="text/javascript" src="/guide/static/docs.js"></script>
<script type="text/javascript">
  window.initial_state = {}</script>
  </body>
</html>
